Yeah, bridging a dead end.
iptables and dnsmasq (also handling DHCP) are the direction I'm going now, plus sysctl.conf changes to harden, and using the router just as an access point ...not as complex or scary as I first thought, now I'm getting my hands dirty with it. My fixed approach was the main problem, I think.
The linux mist is clearing a little in doing all this. I'm still not quite Neo when he finally gets the matrix, but it's there somewhere ahead...somewhere
I'll post up my script when I get chance to get back on it. Life's conspiring somewhat at the moment.